[MeshBox-radius] RE: Radius stuff...
From: Mark M. <mar...@ne...> - 2003-02-24 17:25:16
Andy/Bob/E,
Bob & E, get Andy "up to speed" on what we're trying to do. I have
asked him to help us with the RADIUS server (and to work with E on
this).
>Do you really want to write your own RADIUS server?
Oh, of course not! We're going to use FreeRadius.
We're just putting some other stuff on there as well. If you could help
E get everything up and running, that would be great.
Actually, let me put you in contact with "E" and Bob. They'll be able
to explain a bit, and get you up to speed on what we're doing.
What I need your "expertise" for is the RADIUS server (the
authentication server). Maybe "coach" E along, and help him get
everything up and running. Then I'll explain the even bigger problem
that we're working on. ;-)
Are you familiar with BIND at all?
Mark
P.S. Our authentication servers need this:
1) Linux
2) FreeRadius
3) MySQL (to store the user accounts)
4) NoCat (to act as a Captive Portal/WI-FI authentication)
Actually, let me give you a brief "synopsis" of how things work.
1) There will be an authentication server (FreeRADIUS)
2) There will be "meshboxes" which are set top boxes for surfing the
internet, etc. These boxes also act as wireless "Access Points" on the
mesh network.
3) There will be "roaming clients" (PDAs, laptops, etc.) that will use
the MeshBoxes to connect to the internet.
I believe we should use something like this:
1) Set up authentication server (RADIUS).
2) MeshBoxes authenticate to Authentication Server via 802.1x.
3) User database is stored on authentication server. (along with
login/passwords)
4) Roaming users come in contact with a meshbox... the "captive portal"
requests authentication from the wireless user. The login/password is
entered into the "splash page". This request (from the wireless side)
is sent via the Ethernet side to the authentication server. If the
authentication server verifies that the user login/password is correct
then it allows the WI-FI user to connect/use the network (and surf the
web, send mail, etc.)
The problem I'm having (and looking to you for advice) is NOT the WIFI
side, this is already done. It's the "backbone" side between meshboxes
and the authentication (FreeRADIUS) server(s). What do you suggest that
we use? 802.1x, correct?
We need help setting it up (E, read the FreeRadius docs) and we need to
make sure that the backbone (between meshbox & auth server) is as secure
as humanly possible. We need to make sure that the network couldn't be
"hi-jacked", or a rogue meshbox (or wireless user) couldn't sniff/steal
passwords or join the network.
Mark
-----Original Message-----
From: Andy Walden [mailto:an...@ti...]
Sent: Monday, February 24, 2003 8:11 AM
To: Mark Malewski
Subject: RE: [sg-dc] Radius stuff...
On Mon, 24 Feb 2003, Mark Malewski wrote:
> <Laughing> Oh... you'll see! Give me a few days, I'm trying to sort
> through so much right now (too much on my plate at the moment). But
> I'm going to put you on a team... and have you help lead the development
> of our RADIUS authentication server.
Do you really want to write your own RADIUS server?
> I'll explain all the details, just let me sort through my mailbox...
Okay.
> Did you join the mailing lists? I'll ask Bob, and E, to contact you...
> and "bring you up to speed" on what we're doing.
Yes. Thanks.
andy
--
PGP Key Available at http://www.tigerteam.net/andy/pgp
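
Added example, not part of the original thread and not MeshBox or FreeRADIUS code: on the MeshBox-to-authentication-server leg asked about above, a plain RADIUS Access-Request (RFC 2865) carries User-Name in the clear and hides User-Password only with MD5 keyed by the shared secret, so that secret is what stands between a sniffer and the login. It assumes the captive portal forwards the login as a PAP-style User-Password, which the thread does not state; the secret, user name and password are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code / attribute types

def _xor_chain(secret, authenticator, data, decrypt):
    """RFC 2865 sec. 5.2: pad_i = MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, pad))
        prev = block if decrypt else xored  # always chain on the ciphertext
        out += xored
    return out

def hide_password(secret, authenticator, password):
    """What the NAS (here: the MeshBox) places in the User-Password attribute."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(secret, authenticator, padded, decrypt=False)

def recover_password(secret, authenticator, hidden):
    """What the RADIUS server does with its copy of the shared secret."""
    return _xor_chain(secret, authenticator, hidden, decrypt=True).rstrip(b"\x00")

def build_access_request(identifier, secret, username, password, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    hidden = hide_password(secret, authenticator, password)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((USER_NAME, username), (USER_PASSWORD, hidden)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet):
    """Split the attribute section of a packet into {type: value}."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs

if __name__ == "__main__":  # constructed sample values
    pkt = build_access_request(7, b"constructed-secret", b"roaming-user", b"hunter2-example")
    print(pkt.hex())  # the user name is readable in the dump, the password is not
```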